
Mandatory TLS + Client Certificate


Mark A. Richman

Oct 18, 2008, 4:56:29 PM10/18/08
I am trying to set up postfix with mandatory TLS + client certificate.

I used TinyCA to create a test CA and client cert. Then, I connected
with those certs: openssl s_client -connect markrichman.com:587 -starttls smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert macpro.local-client-cert.pem

I get error: "421 4.7.1 dev.markrichman.com Error: No client
certificate presented"

Is this because my .pem files require passwords, or that I haven't
trusted them on my target postfix server?

This is the full conversation:
macpro:~ mark$ openssl s_client -connect markrichman.com:587 -starttls smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert macpro.local-client-cert.pem
Enter PEM pass phrase:
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
i:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
issuer=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
---
No client certificate CA names sent
---
SSL handshake has read 1499 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
D2AD22703335CE68D7A33EEC9E720F161F7A66754DF565C87FE746DB34D5BA9C
Session-ID-ctx:
Master-Key:
307399617E5AD53BE27607A2CEB9C95DA3B23F3AB3AB2D6B0530200589586E68126A94B1C558A656695FBA92DB
Key-Arg : None
Start Time: 1224362418
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250-dev.markrichman.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
ehlo dev.markrichman.com
421 4.7.1 dev.markrichman.com Error: No client certificate presented
read:errno=0
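As an added example that is not part of the original post: a small Python triage script for this kind of `openssl s_client -starttls smtp` transcript. It reads the status lines s_client prints and separates the two ways a client-certificate requirement can fail, the server never sending a CertificateRequest (s_client then never offers -cert/-key, whatever the passphrase or trust situation) versus the server asking and then rejecting what was presented. The sample transcripts are constructed (abridged from the session above, plus a variant in which the server did name an acceptable CA); the function names and diagnosis codes are my own; the Postfix parameters named in the advice, smtpd_tls_ask_ccert and smtpd_tls_CAfile, are real parameters, and the rules are heuristics based on what s_client prints, not on the poster's actual server configuration.

```python
"""Triage an ``openssl s_client -starttls smtp`` transcript for mutual-TLS failures.

Added example, not part of the original post. The heuristics encode what the
s_client status lines mean; the sample transcripts are constructed (abridged
from the session in the post), and the Postfix parameter names in the advice
(smtpd_tls_ask_ccert, smtpd_tls_CAfile) are real parameters.
"""
import re

# Constructed sample, abridged from the session quoted in the post.
SAMPLE_NOT_ASKED = """\
Enter PEM pass phrase:
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/O=Empire Software, Inc./CN=Mark A. Richman
verify error:num=18:self signed certificate
verify return:1
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)
---
250-dev.markrichman.com
250-STARTTLS
250 DSN
ehlo dev.markrichman.com
421 4.7.1 dev.markrichman.com Error: No client certificate presented
read:errno=0
"""

# Constructed variant: the server did send a CertificateRequest naming a CA.
SAMPLE_ASKED = SAMPLE_NOT_ASKED.replace(
    "No client certificate CA names sent",
    "Acceptable client certificate CA names\n/C=US/O=Test CA/CN=TestCA",
)


def parse_transcript(text):
    """Pull the fields that matter for a client-certificate problem."""
    f = {}
    # "New, ..., Cipher is X" is printed once the handshake finished; (NONE) means it did not.
    m = re.search(r"^New, .*Cipher is (\S+)", text, re.M)
    f["handshake_ok"] = bool(m) and m.group(1) != "(NONE)"
    # s_client prints exactly one of these two lines, depending on whether the
    # server's CertificateRequest carried any CA names (none at all counts as "No").
    f["cert_request_seen"] = "Acceptable client certificate CA names" in text
    f["no_ca_names"] = "No client certificate CA names sent" in text
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    f["server_verify_code"] = int(m.group(1)) if m else None
    f["server_verify_text"] = m.group(2) if m else None
    m = re.search(r"Server public key is (\d+) bit", text)
    f["server_key_bits"] = int(m.group(1)) if m else None
    # First 4xx/5xx SMTP reply that carries an enhanced status code.
    m = re.search(r"^([45]\d\d) (\d\.\d\.\d) (.*)$", text, re.M)
    f["smtp_reject"] = (m.group(1), m.group(2), m.group(3).strip()) if m else None
    return f


def diagnose(f):
    """Return (code, explanation) pairs; the codes are stable, the text is advice."""
    out = []
    rej = f["smtp_reject"]
    cert_rej = rej is not None and "client certificate" in rej[2].lower()
    if cert_rej and not f["cert_request_seen"]:
        out.append(("SERVER_DID_NOT_REQUEST_CLIENT_CERT",
                    "s_client only sends -cert/-key when the server sends a "
                    "CertificateRequest; none arrived (or it carried no CA names), "
                    "so the key passphrase and the trust of the client cert never came "
                    "into play. Make the server ask (Postfix: smtpd_tls_ask_ccert = yes) "
                    "and load the issuing CA into its trust store (smtpd_tls_CAfile)."))
    elif cert_rej:
        out.append(("SERVER_REJECTED_PRESENTED_CERT",
                    "The server asked for a certificate and still rejected the "
                    "session (heuristic): check that a CA listed under 'Acceptable "
                    "client certificate CA names' issued the -cert you passed."))
    if f["server_verify_code"] not in (None, 0):
        out.append(("SERVER_CERT_NOT_VERIFIED",
                    "Verify return code %d (%s): the server's certificate does not "
                    "chain to -CAfile. Unrelated to the client-cert rejection, but the "
                    "client is not authenticating the server either."
                    % (f["server_verify_code"], f["server_verify_text"])))
    if f["server_key_bits"] is not None and f["server_key_bits"] < 2048:
        out.append(("WEAK_SERVER_KEY",
                    "%d-bit RSA server key; 2048 bits is the usual minimum today."
                    % f["server_key_bits"]))
    return out


if __name__ == "__main__":
    for name, sample in (("not asked", SAMPLE_NOT_ASKED), ("asked", SAMPLE_ASKED)):
        print("==", name)
        for code, why in diagnose(parse_transcript(sample)):
            print(code, "-", why)
```

Run it against a real transcript by reading the file into `parse_transcript`; the two constructed samples show the key distinction, that the "No client certificate CA names sent" line means the server never asked, so the fix belongs on the server side regardless of the client's passphrase or CA trust.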
